IPv6 & Linux - HowTo - Part 4
Version: 3.23q from 2002-11-14
(P) & (C) 1997-2002 by Peter Bieringer <[email protected]>, see copyright notice for more details
Original site of publishing: http://www.bieringer.de/linux/IPv6/
Suggestions, comments and improvements are welcome!
Additional Applications
If you are looking for hints on the old inet6-apps based software, please go to Obsoletes.
This section is under construction again, using glibc-2.1 based
software. It is growing slowly (depending on available time).
For a quick start, see the URLs given on the status page.
Contents
- Electronic mail (SMTP & POP)
- World Wide Web (HTTP)
- SMTP
- Network autoconfiguration
- Secure shell for protected connection over the Internet
- Point-to-Point-Protocol
- TCP Network throughput measurements
apache|apache2 (HTTP server)
Why?
apache is a widely used HTTP server
- Versions 1.3.x are IPv6-enabled by the KAME project (no longer recommended)
- Versions 2.0.x are IPv6-enabled by the maintainers (in General Availability
state since 2.0.35) and normally compile cleanly with native
IPv6 support (recommended now)
URLs:
Versions and filenames tested by me:
- 1.3.14: (do not use this because versions below 1.3.26 [except backpatched ones] are remotely exploitable)
- 1.3.19: (do not use this because versions below 1.3.26 [except backpatched ones] are remotely exploitable)
- Additional information: the patch and configure options for EAPI and SSL are disabled because they interfere with the IPv6 enabling patch
- 2.0.43: (recommended now, versions below contain security holes)
Contents:
After rebuild: a complete apache package
Rebuilding the package, installation
- Install SRPMS (destination is normally /usr/src/redhat/SOURCES/):
- rpm -ihv apache-version-release.src.rpm
- Copy the IPv6 enabling patch also to the source directory:
- cp pathto/apache-version-v6-ipv6-release.diff.gz /usr/src/redhat/SOURCES/
- Copy the new SPEC file into the SPECS directory:
- cp pathto/apache-specfile-version.spec /usr/src/redhat/SPECS/
- Rebuild package (good luck!)
- rpm -ba /usr/src/redhat/SPECS/apache-specfile-version.spec
- You should get 3 new packages afterwards (stored in /usr/src/redhat/RPMS/i386/)
- apache-version-release+IPv6.i386.rpm
- apache-devel-version-release+IPv6.i386.rpm
- apache-manual-version-release+IPv6.i386.rpm
- Make a backup of your existing apache configuration
- tar czf /root/httpd-conf-`date +'%Y%m%d-%H%M%S'` /etc/httpd/conf/
- Install (be sure what to do):
- Replace existing package
- rpm -Fhv /usr/src/redhat/RPMS/i386/apache-version-release+IPv6.i386.rpm
- Install on a native system
- rpm -ihv /usr/src/redhat/RPMS/i386/apache-version-release+IPv6.i386.rpm
- Configure and restart the service (you should know how to do this...)
Configuration
Be sure to enable only the modules that are really needed in /etc/httpd/conf/httpd.conf.
Each additional module can be a potential security hole. For normal operation, only
the following modules are needed:
config_log_module, agent_log_module, referer_log_module, mime_module,
negotiation_module, includes_module, autoindex_module, dir_module,
alias_module, access_module, auth_module, setenvif_module
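One way to check a configuration against the module list above, as an added example that is not part of the original HowTo: the script reports every active LoadModule line whose module identifier is not in the list. The sample httpd.conf fragment and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the HowTo: audit LoadModule directives against
# the module list given in the text.

# Module identifiers copied from the list in the text.
ALLOWED_MODULES="config_log_module agent_log_module referer_log_module \
mime_module negotiation_module includes_module autoindex_module \
dir_module alias_module access_module auth_module setenvif_module"

# audit_modules FILE
# Prints "line N: module" for every active LoadModule directive whose
# identifier is not in ALLOWED_MODULES. Returns 1 if any was found.
# Modules compiled statically into httpd do not appear in httpd.conf
# and are not covered by this check.
audit_modules() {
    awk -v allowed="$ALLOWED_MODULES" '
        BEGIN {
            n = split(allowed, names, " ")
            for (i = 1; i <= n; i++) ok[names[i]] = 1
        }
        /^[ \t]*#/ { next }                 # commented-out directive
        tolower($1) == "loadmodule" {       # directive names ignore case
            if (!($2 in ok)) { print "line " FNR ": " $2; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample_conf FILE: constructed httpd.conf fragment for the demo.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
LoadModule config_log_module  modules/mod_log_config.so
LoadModule mime_module        modules/mod_mime.so
LoadModule status_module      modules/mod_status.so
#LoadModule info_module       modules/mod_info.so
LoadModule dir_module         modules/mod_dir.so
<IfDefine HAVE_PHP4>
loadmodule php4_module        modules/libphp4.so
</IfDefine>
LoadModule setenvif_module    modules/mod_setenvif.so
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
if audit_modules "$conf"; then
    echo "only listed modules are loaded"
else
    echo "modules outside the list are loaded (see lines above)"
fi
rm -f "$conf"
```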
Here is an example configuration for a virtual webserver listening on IPv6 only:
<VirtualHost 3ffe:400:100::1>
    ServerAdmin [email protected]
    ServerName www.ipv6.bieringer.de
    DocumentRoot /somewhere/pub
    CustomLog "/somewhere/logs/www.ipv6.bieringer.de-log" combined
    ErrorLog "/somewhere/logs/www.ipv6.bieringer.de-error"
    <Directory "/somewhere/pub">
        AllowOverride AuthConfig Limit
        Options None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
thttpd (HTTP server)
Section outdated!
Why?
thttpd is an HTTP server with native IPv6 support (not as full-featured
as apache, but it can be configured to be very secure!)
URLs:
Latest version and filename tested by me:
Surely old and insecure, so please use the latest available version!
http://www.acme.com/software/thttpd/thttpd-2.20.tar.gz
Contents:
Application | Path | Description
thttpd | /usr/local/sbin/thttpd | HTTP server
Unpacking, configuration and installation
Similar to other software packages described here
Source package contains configure, therefore no special hints
are needed.
See included INSTALL and README for details
- Move into the source directory:
- Unpack the new source:
- tar xzf pathto/thttpd-version.tar.gz -C /usr/src
- Move into the source directory:
- cd /usr/src/thttpd-version
- Run configure
- Now compile:
- make clean; make
You should get no errors!
- And install:
- make installthis; make install-man
Manual and binary are copied (normally) to the directories in /usr/local
See online manpage for further details.
Hints:
- By specifying an IPv6 address to bind to (e.g. with option "-h"),
thttpd will bind only to that address and not to any IPv4 address.
So you can set up an IPv6-only HTTP server!
- You cannot bind to an IPv6-only port if this port is already bound
by an IPv4 application with bind option "*"
- I got this in the case of a running IPv4 apache on the same host
- Solution: change apache binding to a dedicated IPv4 address
- old: Listen *:80
- new: Listen 192.168.1.1:80
Squid (HTTP proxy)
Why?
Nowadays most modern browsers like mozilla, konqueror or netscape6 already
allow IPv6 connections on IPv6 enabled systems. Unfortunately, when using a proxy
(e.g. for filtering), they cannot choose between IPv4 and IPv6 connections.
Therefore an IPv6 enabled proxy is needed.
Good news: the Squid developers have already IPv6 enabled the current
developer version 2.5
ToDo
Distribution | RHL 6.2 | RHL 7.1 | RHL 7.2 | RHL 7.3
ToDo | not recommended, update to RHL 7.3 first | not tested, update to RHL 7.3 first | compiling and install CVS version 20011113 (now outdated), update to RHL 7.3 first | compiling and install CVS version 20021114
URLs:
Versions tested by me:
- CVS snapshot taken 20011113, known bugs: connections to IPv6-only sites only work with a patch (ipv6onlyrequestbug.patch), some other options won't work, still in progress: http://[fec0::1]/ style URLs and IPv6 EPRT FTP
- CVS snapshot taken 20021114, known bugs: http://[fec0::1]/ style URLs not supported, perhaps more
Requires:
- cvs, openldap-devel, pam-devel (installed from distribution)
- automake >= 1.5 (Red Hat Linux 7.3 users have to install
additional RPM automake15-$version.noarch.rpm and patch bootstrap.sh,
see below for more)
Source: get from CVS
- Create a CVS directory
- Log into CVS server
- Get current tagged version (IPv6 enabled squid)
- Create tar-ball for backup and RPM issues
- mv squid-ipv6 squid-ipv6-$DATEcvs
- tar czf squid-ipv6-$DATEcvs.tgz squid-ipv6-$DATEcvs
Tar-Ball: Unpacking, compilation and installation
- Move into the source directory, create a main directory and change
into it
- $ cd /usr/src; mkdir squid; cd squid
- Unpack the new source:
- $ tar xzf squid-ipv6-$DATEcvs.tgz
- Move into the source directory:
- Patch bootstrap.sh file for usage with automake-1.5 on
RHL 7.3
- $ diff -u bootstrap.sh.orig bootstrap.sh
--- bootstrap.sh.orig Thu Nov 14 20:30:30 2002
+++ bootstrap.sh Thu Nov 14 20:30:53
2002
@@ -20,9 +20,9 @@
mkdir -p cfgaux
# Bootstrap the autotool subsystems
-bootstrap aclocal
+bootstrap aclocal-1.5
bootstrap autoheader
-bootstrap automake --foreign --add-missing
+bootstrap automake-1.5 --foreign --add-missing
bootstrap autoconf
echo "Autotool bootstrapping complete."
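Review bot: the two changed lines hardcode the versioned tool names aclocal-1.5 and automake-1.5, so the patched bootstrap.sh only runs where those exact names are installed; taking the names from variables that default to aclocal and automake and can be overridden on RHL 7.3 would keep one script usable on both setups. The untouched autoheader and autoconf calls stay unversioned, so it is worth stating next to the patch that only the automake pair needs the 1.5 suffix.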
- Run bootstrap
- Configure the compile options:
- cvs-20011113 (based on squid 2.4 included in Red Hat Linux 7.2)
- $ ./configure --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --enable-poll --enable-removal-policies="heap,lru" --enable-storeio="aufs,diskd,ufs" --enable-carp --with-pthreads --enable-basic-auth-helpers="LDAP,NCSA,PAM,SMB,MSNT" --enable-ipv6
- Information: configure options currently not working (mostly missing
IPv6 support): --enable-storeio="coss" --enable-delay-pools
--enable-htcp --enable-linux-netfilter --enable-snmp
- cvs-20021114 (based on squid 2.4 included in Red Hat Linux 7.3):
- $ ./configure --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --enable-poll --enable-removal-policies="heap,lru" --with-pthreads --enable-storeio="aufs,diskd,ufs" --enable-ipv6 --enable-basic-auth-helpers="LDAP,NCSA,PAM,SMB,MSNT"
- Information: configure options currently not working (mostly missing
IPv6 support): --enable-storeio="coss" --enable-delay-pools
--enable-linux-netfilter --enable-snmp
- Now compile:
- $ make clean; make
You should get no errors!
- And install:
- Be careful if a squid proxy is already running
RPM: build an IPv6 enabled squid-RPM from CVS
Note: squid developers don't want to see any squid
RPM from CVS source in the wild - therefore keep source and binary packages
private - please!
cvs20011113 (outdated)
- Copy CVS tar-ball to /usr/src/distribution/SOURCES/
- Copy additional patches given at ftp://ftp.bieringer.de/pub/linux/IPv6/squid/
also to /usr/src/distribution/SOURCES/
- Copy spec file given at ftp://ftp.bieringer.de/pub/linux/IPv6/squid/
to /usr/src/distribution/SPECS/
- Build source and binary packages
- rpm -ba /usr/src/distribution/SPECS/squid-ipv6-version.spec
- Install package
cvs20021114
- Install RHL 7.3 squid source RPM (from RHL updates)
- $ rpm -ihv /path/to/redhat/updates/7.3/en/os/SRPMS/squid-2.4.STABLE6-6.7.3.src.rpm
- Copy CVS tar-ball
- $ cp /path/to/squid-ipv6-$DATEcvs.tgz %{_topdir}/SOURCES/
- Copy additional patches given at ftp://ftp.bieringer.de/pub/linux/IPv6/squid/
also
- $ cp /path/to/squid-*.patch %{_topdir}/SOURCES/
- Copy spec file given at ftp://ftp.bieringer.de/pub/linux/IPv6/squid/
- $ cp /path/to/squid-*.spec %{_topdir}/SPECS/
- Build binary package
- $ rpm -bb %{_topdir}/SPECS/squid-ipv6-$version.spec
- Install package (probably as root)
See the configuration issues below before starting; these adaptations are still
not done by the build process (too lazy...).
Configuration issues
You have to adjust IPv4-only addresses to IPv6 ones, like:
- Binding of addresses
udp_outgoing_address ::
udp_incoming_address ::
tcp_outgoing_address ::
- ACLs
acl localhost src ::ffff:127.0.0.1 ::1
acl to_localhost dst ::ffff:127.0.0.1 ::1
acl all src ::/0
acl sitelocalsrc src fec0::/48
acl linklocalsrc src fe80::/64
acl globaldst dst 3ffe::/16 2000::/3
acl ipv4src src ::ffff:0:0/96
acl ipv4dst dst ::ffff:0:0/96
- Disable WCCP
mozilla (HTTP client/browser)
Why?
mozilla is a native IPv6 supporting HTTP browser
ToDo
Distribution | RHL 6.2 | RHL 7.1, 7.2 | RHL 7.3, 8.0
ToDo | install newest available binary | update to RHL 7.3 | install from distribution/updates
URLs:
Version and filename tested by me:
mozilla-1.0.1-2.7.3 from RHL 7.3
Known issues:
The automatic proxy configuration script doesn't take care of IPv6 addresses,
so if a local proxy is used for remote IPv4 hosts, this proxy is also
used for remote IPv6 hosts. There is no switch available like "do not use
proxy for IPv6 connection", therefore you have to enable your proxy for
IPv6 or disable proxy usage completely or per URL.
Contents:
If you build a new version from source:
Application | Path | Description
mozilla | /opt/mozilla | HTTP browser
Unpacking, configuration and installation
Additional RPM packages perhaps needed for compiling: glib-devel,
gtk+-devel, ORBit-devel
If "configure" informs you that other things are missing too, try my utility
rpmfsu to find the related RPM package.
Similar to other software packages described here
Source package contains configure, therefore no special hints are needed.
See included INSTALL and README for details
Hint: for compiling this tarball, you need about
1.3 GByte disk space (and in my case it doesn't run afterwards).
But don't worry, the available binary tarball
is already IPv6 enabled. Unpack the binary package somewhere and run "mozilla"
in the binary directory.
- Change to directory /opt
- Unpack tarball
- tar xzf pathto/mozilla-i686-pc-linux-gnu-version.tar.gz
- Rename created directory
- Run mozilla
A list of sites for testing IPv6 HTTP transport is available at IPv6.org: http://www.ipv6.org/v6-www.html
You can also try my server at home, perhaps I'm online, dynamic tunnel is up and my IPv6 only webserver is running: http://gate.muc.ipv6.bieringer.de/
SMTP server Postfix
IPv6 extension is currently maintained by Dean Strik <dean at ipnet6
dot org>
Why?
Postfix isn't IPv6-enabled out of the box
ToDo
Distribution | RHL 6.2 | RHL 7.1, 7.2 | RHL 7.3, 8.0
ToDo | untested | update to RHL 7.3 | see now
URLs:
Version and filename of the package:
Latest version I have tested is postfix 1.1.11 snapshot 20021029 with
IPv6+TLS tls+ipv6-1.7pre3-pf-1.1.11-20021029.patch (soon without pre available)
Package: Rebuilding and installation
- Get files
- src rpm from RHL 8.0 from CD or RHL mirror (postfix-1.1.11-5.src.rpm)
- latest snapshot tarball from postfix mirror (postfix-1.1.11-20021029.tar.gz)
- latest TLS+IPv6 patch (IPv6+TLS tls+ipv6-1.7pre3-pf-1.1.11-20021029.patch)
- modified and extended spec file (postfix-1.1.11.20021029-5.AERAsec.6.spec)
- Change to your favorite package rebuild user (optional, but recommended)
- Install source rpm
- rpm -ihv path/to/postfix-$version-$release.src.rpm
- Copy latest snapshot tarball into %_topdir/SOURCES (%_topdir is usually /usr/src/redhat)
- cp path/to/postfix-$version-$snapshot.tar.gz %_topdir/SOURCES
- Copy TLS+IPv6 patch into %_topdir/SOURCES
- cp path/to/tls+ipv6-$patchversion-pf-$version-$snapshot.patch %_topdir/SOURCES
- Copy spec file into %_topdir/SPECS
- cp path/to/postfix-$version.$snapshot-$release.AERAsec.$specversion.spec %_topdir/SPECS
- Build binary package
- rpm -bb %_topdir/SPECS/postfix-$version.$snapshot-$release.AERAsec.$specversion.spec
- Install/freshen package (postfix-1.1.11.20021029-5.7.3.AERAsec.6.i386.rpm)
- rpm -i|F -hv %_topdir/RPMS/$target/postfix-$version.$snapshot-$release.$rhlrelease.AERAsec.$specversion.$target.rpm
- service postfix start
Check
- IPv6 portbinding
- # netstat -nlptu |grep master
tcp 0 0 :::587 :::* LISTEN 29023/master
tcp 0 0 :::465 :::* LISTEN 29023/master
tcp 0 0 :::25 :::* LISTEN 29023/master
- Logging
- Your mail log, usually /var/log/maillog should now contain
- example for a loopback IPv4 connect:
- postfix/smtpd[$pid]: connect from localhost[::ffff:127.0.0.1]
- example for a remote IPv6 relay:
- postfix/smtp[$pid]: $qid: to=<[email protected]>, relay=mx.domain.example[3ffe:ffff::1], delay=3, status=sent ($mxresponse)
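As the loopback example shows, IPv4 peers are logged in IPv4-mapped form (::ffff:a.b.c.d) once Postfix listens on the IPv6 socket, so scripts that read this log need to handle both forms. The following added example (not part of the original HowTo; the log lines, host names and function names are constructed) extracts the peer address from both entry types and classifies it.

```shell
#!/bin/sh
# Added example, not from the HowTo: classify peer addresses found in
# Postfix "connect from" and "relay=" log entries.

# peer_addr LINE
# Prints the address inside host[addr]; prints nothing if the line has
# no such entry. The process tag (e.g. smtpd[123]) is not matched.
peer_addr() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*connect from [^[]*\[\([^]]*\)\].*/\1/p' \
        -e 's/.* relay=[^[]*\[\([^]]*\)\].*/\1/p'
}

# classify ADDR
# Prints "ipv4-mapped A.B.C.D" (mapped prefix stripped), "ipv6 ADDR" or
# "ipv4 ADDR"; returns 1 for anything else.
classify() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $a in
        ::ffff:*.*.*.*) echo "ipv4-mapped ${a#::ffff:}" ;;
        *:*)            echo "ipv6 $a" ;;
        *.*.*.*)        echo "ipv4 $a" ;;
        *)              return 1 ;;
    esac
}

# peer_report
# Reads log lines on stdin and prints one "family address" line for
# every entry that carries a peer address.
peer_report() {
    while IFS= read -r line; do
        addr=$(peer_addr "$line")
        if [ -n "$addr" ]; then
            classify "$addr" || :
        fi
    done
    return 0
}

# sample_log: constructed log lines modelled on the two examples above.
sample_log() {
    cat <<'EOF'
Nov 14 20:31:02 gate postfix/smtpd[2301]: connect from localhost[::ffff:127.0.0.1]
Nov 14 20:31:05 gate postfix/smtpd[2302]: connect from client.domain.example[::ffff:192.0.2.10]
Nov 14 20:31:09 gate postfix/smtp[2310]: 4F2A1B3C: to=<user@domain.example>, relay=mx.domain.example[3ffe:ffff::1], delay=3, status=sent (250 Ok)
Nov 14 20:31:12 gate postfix/qmgr[2290]: 4F2A1B3C: removed
EOF
}

sample_log | peer_report
```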
Router ADVertisement Daemon
Maintained by Nathan Lutchansky <lutchann at litech dot org> and
Pekka Savola <pekkas at netcore dot fi>
Why?
If you want to test IPv6 subnet autoconfiguration initiated by Linux
routers, you need the router advertisement daemon.
ToDo
Distribution | RHL 6.2 | RHL 7.1, 7.2 | RHL 7.3, 8.0
ToDo | rebuild SRPMS | update to RHL 7.3 | install from distribution
URLs:
Version and filename of the package:
Latest version I have tested is 0.7.1-1 from RHL 7.3
Additional information:
The version distributed with RH 7.1 powertools has a bug in the
startup script:
- Fix:
-[ x${NETWORKING_IPV6} = "xyes" ] && exit 0
+[ x${NETWORKING_IPV6} = "xyes" ] || exit 0
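Review bot: on the corrected line ${NETWORKING_IPV6} is still expanded unquoted inside [ ], so a value containing whitespace turns the comparison into a test syntax error instead of a clean mismatch; write the operand as "x${NETWORKING_IPV6}". The direction of the fix is right: with && the script exited exactly when IPv6 networking was enabled.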
Contents:
Application | Path | Description
radvd | /usr/sbin/radvd | Router advertisement daemon
radvdump | /usr/sbin/radvdump | Router advertisement dump (debug)
Package: Rebuilding and installation
- Rebuild package
- rpm --rebuild your-path/radvd-version.src.rpm
- Install package
- rpm -ihv /usr/src/redhat/RPMS/target/radvd-version.target.rpm
Tar-Ball: Unpacking, compilation and installation (last review on 0.7.0)
- Unpack the source:
- tar xzf your-path/radvd-version.tar.gz
This will create directory radvd-version in your current directory.
- Move into the source directory:
- Configure the compile options:
- ./configure --sysconfdir=/etc --with-pidfile=/var/run/radvd/radvd.pid
- Now compile:
- make clean; make
You should get no errors!
- And install:
- make install
Manuals and binaries are installed to the subdirectories in /usr/local
- Copy the radvd.conf sample into the config directory:
- cp radvd.conf.example /etc/radvd.conf
- Install the startup script file; you can get an example here: /etc/rc.d/init.d/radvd, or from the
redhat subdirectory of the source tree
- cp radvd /etc/rc.d/init.d/
- chmod 0755 /etc/rc.d/init.d/radvd
- Check given values in the startup script file /etc/rc.d/init.d/radvd
# Location of radvd binary
BINRADVD="/usr/local/sbin/radvd"
# Location of radvd config file
CONFRADVD="/etc/radvd.conf"
# Additional RADVD options (see manpage for more details)
OPTIONSRADVD=""
# No additional option
General: Configuring and starting
- Set proper values by editing the config file /etc/radvd.conf.
See the manual pages for information on configuration directives.
- Try starting
- /etc/rc.d/init.d/radvd start
- If ok, take a look into the syslog (where radvd normally logs events)
- tail -f /var/log/messages or tail -f /var/log/daemon
(depending on the settings in your syslog config file /etc/syslog.conf)
Secure SHell (OpenSSH)
IPv6-enabled by the maintainers
Why?
The original ssh can't handle IPv6 addresses and can't be used in a mixed
environment. So a ported version is needed.
ToDo
Distribution | RHL 6.2 | RHL 7.1, 7.2 | RHL 7.2
ToDo | rebuild SRPMS | update to 7.3 | install from distribution
URLs
- Main site: http://www.openssh.com/
- RedHat RPM packages
- for 6.2 the OpenSSL as binary at ftp://ftp.redhat.com/redhat/updates/6.2/
- for 7.0 and later: included in distribution
Additional information:
Because of a major security issue, you should update
to version 3.1 (backpatched) or to 3.4 and later immediately!
Version and filename of the package:
Latest version I've tested for IPv6 is 3.1p1-6 from RHL 7.3
Installation:
- Download RPM packages, remove existing ssh-RPMs (if already installed)
and install openssl and openssh packages
Configuration:
- To enable binding on the IPv6 port, edit the configuration file /etc/ssh/sshd_config:
- #ListenAddress 0.0.0.0
- ListenAddress ::
- Add "-6" in the startup script /etc/rc.d/init.d/sshd to enable IPv6:
- /usr/sbin/sshd -6 && success "sshd startup" || failure "sshd startup"
Usage:
- Test whether sshd listens on the IPv6 port:
[root@gate i386]# netstat -A inet6 -ln | grep 22
tcp 0 0 :::22 :::* LISTEN
- Client using IPv6:
- ssh -6 ipv6address
- ssh -6 hostname.ipv6.domain.net
- Hint: don't worry if you see no listening IPv4 port, a connect
over IPv4 will work, too. Client using IPv4:
PPP
IPv6-enabled by the maintainers
Why?
The original ppp binary package distributed by Red Hat isn't IPv6 enabled.
ToDo
First, test your installed pppd, perhaps it is already IPv6 enabled:
strings `which pppd` | grep ipv6 should show e.g. IPv6 options
which are mentioned in the man page.
Distribution | RHL 6.2 | RHL 7.1 | RHL 7.2
ToDo | untested | untested | rebuild source RPM with IPv6 enabling patches
URLs
- IPv6 enabling patches (for version 2.4.1)
Version and filename of the package:
Latest version I've tested for IPv6 is 2.4.1-2 (IPv6-enabled rebuild
on a RHL 7.2 system)
IPv6 enabled rebuild and installation:
- Download (or copy from CD) source RPM package
- Install source RPM (will be stored at SOURCES and SPEC)
- rpm -ihv ppp-version-release.src.rpm
- Copy given patches to subdirectory SOURCES
- Copy given spec file to subdirectory SPECS (or apply diff)
- Build binary package
- rpm -bb ppp-version-release.ipv6.subrelease.spec
- Update existing version
- rpm -Fhv ppp-version-release.ipv6.subrelease.i386.rpm
Configuration and use:
See scripts/current/
for details
TTCP
Section outdated, use Iperf instead.
IPv6-ported some time ago by Marc Mosthav, minor glibc-2.1 fix by Peter
Bieringer <pb at bieringer dot de>
Why?
It's for measuring the TCP network throughput from one host to another.
The original software can't handle IPv6 addresses and can't be used in
a mixed environment. So a ported version is needed.
Version and filename of the package:
Current IPv6 enabled release is ttcp/ttcp+ipv6-2.tar.bz2
Contents:
Application | Path
ttcp6 | /usr/local/bin/ttcp6
Unpacking, configuration and installation
- Move into the source directory, create a main directory and change
into it
- cd /usr/src; mkdir ttcp; cd ttcp
- Unpack the new source:
- tar xjf your-path/ttcp-version.tar.bz2
- Move into the source directory:
- Now compile:
- make clean; make
You should get no errors!
- And install:
- make install
The binary is copied to the directory /usr/local/bin
Usage:
- Server: ttcp6 -r
- Client: ttcp6 -t HOSTNAME
Try also ttcp6 {-?|-h} for more information.
PTCP
Section outdated, use Iperf instead.
IPv6-ported some time ago by Marc Mosthav, minor glibc-2.1 fix by Peter
Bieringer <pb at bieringer dot de>
Why?
It's for measuring the TCP network throughput by roundtrips.
The original software can't handle IPv6 addresses and can't be used in
a mixed environment. So a ported version is needed.
Version and filename of the package:
Current IPv6 enabled release is ftp://ftp.bieringer.de/pub/linux/IPv6/ptcp/ptcp+ipv6-2.tar.bz2
Contents:
Application | Path
ptcp6 | /usr/local/bin/ptcp6
Unpacking, configuration and installation
- Move into the source directory, create a main directory and change
into it
- cd /usr/src; mkdir ptcp; cd ptcp
- Unpack the new source:
- tar xjf your-path/ptcp-version.tar.bz2
- Move into the source directory:
- Now compile:
- make clean; make
You should get no errors!
- And install:
- make install
The binary is copied to the directory /usr/local/bin
Usage:
- Server: ptcp6 -s
- Client: ptcp6 -c HOSTNAME
Try also ptcp6 {-?|-h} for more information.